Database Security & Compliance with Audit Vault and Database Firewall
Pierre Leon
Topics
• Encryption
• Authentication
• Authorising highly privileged users
• Access control by data classification
• Network-based access control & auditing
• Production data used elsewhere
Encrypting Data At Rest
Oracle Advanced Security
(diagram: encrypted data on Disk, in Backups, in Exports and at Off-Site Facilities)
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata and Oracle Advanced Compression
Transparent Data Encryption
Automatic 2-Level Key Management
• Column / tablespace keys are encrypted by the MASTER KEY
• The master key is stored in a PKCS#12 wallet or a hardware security module (HSM)
• The Security Admin opens the wallet/HSM containing the MASTER KEY
• Table/tablespace keys encrypt the data on disk
Strong Authentication / Network Encryption
Oracle Advanced Security
• Standards-based encryption for data in transit
• Strong authentication of users and servers
• No infrastructure changes required
• Supported authentication servers
– Oracle Internet Directory (EUS)
– Kerberos
– Win2K/XP (Active Directory)
– Entrust (PKI)
– Radius API
– Smartcards
– SecurID tokens
– Biometric devices
(diagram: Authentication Service – Oracle Database)
Strong Authentication
Oracle Advanced Security
Benefits
• Authentication that is stronger than passwords
Centralised User and Role Management
Enterprise User Security
Chained Authentication Example
(diagram: Client – Oracle Database – Directory)
A. The user authenticates to the database with a password, Kerberos or an X.509v3 certificate over SSL (Active Directory Kerberos authentication)
B. The database verifies the user and fetches global roles from the directory; OID/OVD/ODSEE stores the user credentials and roles, and database privileges are authorised from them
• Benefits
– Centralised user & role provisioning
– Reduce in-database user accounts
– Works with existing repositories
– Plugs into Identity Management solutions
Protecting Sensitive Data Inside The DB
Oracle Database Vault
• Automatic and customisable protective realms and DBA separation of duties
• Enforce who, where, when, and how using rules and factors
• Enforce least privilege for privileged database users
• Prevent application by-pass and enforce enterprise data governance
• Securely consolidate application data or enable multi-tenant data management
Protecting Commands
Command Rules & Authorisation Factors
• Rules to control how users can execute almost any SQL statement, regardless of the Realm in which the object exists
• Command rules can take into account 30+ built-in or custom Factors
• Command rules can be system-wide, schema specific, object specific, and comprised of “rule sets”
• Out-of-the-box command rules for Oracle and non-Oracle applications
(diagram: Procurement, HR and Finance realms; Application User factors – Name, Authentication type, Session User, Proxy Enterprise Identity)
Out of the Box Protection Templates
For Application Data
• Pre-built policies include realms and command rules
• Prevent DBA from accessing application data
• Prevent privileged users from tampering with application objects
• Complements application security
• Transparent to existing applications
• Customisable
Templates available for: Oracle E-Business Suite 11i / R12, PeopleSoft Applications, Siebel, i-Flex, JD Edwards Enterprise One, SAP, Infosys Finacle
Access Control by Data Classification
Data Classification
Oracle Label Security
• Classify users and data based on business drivers
• Database enforced row level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies
• EAL4+ certified
(diagram: Transactions and Report Data tables with rows labelled Public, Confidential and Sensitive; users see only the rows their label permits)
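The row-level control described on this slide can be illustrated with a small label model. The following Python is an added example, not Oracle Label Security code: it assumes a simplified label of the form LEVEL:compartments:groups, a three-level policy named after the labels on the slide, and a constructed table with a label column. The read rule (level dominance, all compartments held, at least one group shared when the row names groups) is the classic label-comparison rule; anything beyond that is this example's own assumption.

```python
from dataclasses import dataclass

# Sensitivity levels of the (constructed) policy, lowest to highest; the
# names follow the labels on the slide.
LEVELS = {"PUBLIC": 10, "CONFIDENTIAL": 20, "SENSITIVE": 30}


@dataclass(frozen=True)
class Label:
    """A label is LEVEL[:compartment,...[:group,...]], e.g. SENSITIVE:HR,FIN:EMEA."""
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()

    @classmethod
    def parse(cls, text: str) -> "Label":
        parts = text.upper().split(":")
        level = parts[0]
        if level not in LEVELS:
            raise ValueError(f"unknown level: {level}")
        comps = frozenset(c for c in parts[1].split(",") if c) if len(parts) > 1 else frozenset()
        groups = frozenset(g for g in parts[2].split(",") if g) if len(parts) > 2 else frozenset()
        return cls(level, comps, groups)


def can_read(user: Label, row: Label) -> bool:
    """Read-down rule: the user's level must be at least the row's level, the user
    must hold every compartment the row carries, and if the row names groups the
    user must belong to at least one of them."""
    if LEVELS[user.level] < LEVELS[row.level]:
        return False
    if not row.compartments <= user.compartments:
        return False
    if row.groups and not (row.groups & user.groups):
        return False
    return True


# Constructed sample table; the label column is what the policy enforces on.
ROWS = [
    {"id": 1, "report": "quarterly summary", "label": "PUBLIC"},
    {"id": 2, "report": "salary review", "label": "SENSITIVE:HR"},
    {"id": 3, "report": "merger memo", "label": "CONFIDENTIAL:FIN:EMEA"},
    {"id": 4, "report": "fraud case", "label": "SENSITIVE:HR,FIN"},
]


def visible_rows(user_label: str, rows=ROWS) -> list:
    """Row-level filtering: ids of the rows a session with this label may read."""
    user = Label.parse(user_label)
    return [r["id"] for r in rows if can_read(user, Label.parse(r["label"]))]


if __name__ == "__main__":
    for who in ("PUBLIC", "SENSITIVE:HR", "CONFIDENTIAL:HR,FIN:EMEA", "SENSITIVE:HR,FIN:EMEA"):
        print(f"{who:28s} -> rows {visible_rows(who)}")
```

The filter runs per row, which is what makes the control independent of the application: a query that selects the whole table still returns only the rows whose label the session label dominates.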
Enterprise-Wide Network-Based Access Control & Auditing
Oracle Audit Vault and Database Firewall
Detective/Preventive Control for Oracle and Non-Oracle Databases
Audit and Event Repository
• Based on proven Oracle Database technology
– Includes compression, partitioning, scalability, high availability, etc.
– Open schema for flexible reporting
• Information lifecycle management for target specific data retention
• Centralised web console for easy administration
Expanded Enterprise Auditing
• Databases: Oracle, SQL Server, DB2 LUW, Sybase ASE
• New Audit Sources
– Operating Systems: Microsoft Windows, Solaris
– Directory Services: Active Directory
– File Systems: Oracle ACFS
• Audit Collection Plugins for Custom Audit Sources
– XML file maps custom audit elements to canonical audit elements
Oracle Audit Vault and Database Firewall
SQL Injection Protection with Positive Security Model
(diagram: Applications – White List – Allow / Block)
Allowed (matches the white list):
SELECT * from stock where catalog-no='PHE8131'
Blocked (does not match the white list):
SELECT * from stock where catalog-no='' union select cardNo,0,0 from Orders --'
• “Allowed” behaviour can be defined for any user or application
• Automated white list generation for any application
• Out-of-policy database transactions are detected and blocked/alerted
Oracle Audit Vault and Database Firewall
Constraining Activity with Negative Security Model
• Stop specific unwanted SQL interactions, user or schema access
• Blacklisting can be done on factors such as time of day, day of week, network, application, user name, OS user name etc.
• Provide flexibility to authorised users while still monitoring activity
(diagram: Black List – DBA activity via applications, e.g. SELECT * FROM v$session, is blocked; the same statement issued directly by the DBA is allowed and logged)
Oracle Audit Vault and Database Firewall
Flexible Policy Enforcement
• SQL Grammar Analysis reduces millions of SQL statements into “clusters”
• Decision time is not influenced by the number of rules in the policy
• Enforcement at SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications
(diagram: enforcement actions Block, Log, Allow, Alert, Substitute)
Substitution example:
SELECT * FROM accounts
becomes
SELECT * FROM dual where 1=0
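The three Database Firewall slides above (positive white list, factor-based black list, and substitution) all rest on the same step: reducing a statement to its grammar cluster before a decision is made. The Python below is an added example, not Oracle's code, that models that pipeline on the statements shown on the slides: literals are replaced by placeholders to form the cluster key, a white list is learned from sample application traffic, black-list rules test session factors, and an unknown read of ACCOUNTS is answered with the slide's substitution. The Context fields, the sqlplus/business-hours rule and every statement other than the ones on the slides are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

_STRING = re.compile(r"'(?:[^']|'')*'")   # SQL string literal; '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")


def cluster(sql: str) -> str:
    """Reduce a statement to its grammar 'cluster': literals become placeholders,
    case and whitespace are folded, so statements of one shape share one key."""
    s = _STRING.sub("'?'", sql)
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s).strip().upper()


@dataclass
class Context:
    """Session factors a rule may test (constructed subset of the slide's list)."""
    db_user: str
    os_user: str
    application: str
    hour: int


@dataclass
class Rule:
    """Negative-model rule: a pattern over the cluster key plus a factor condition."""
    pattern: "re.Pattern"
    condition: Callable[[Context], bool]
    action: str  # "BLOCK" or "ALLOW+LOG"


@dataclass
class FirewallPolicy:
    whitelist: set = field(default_factory=set)
    blacklist: list = field(default_factory=list)
    substitutions: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def learn(self, statements) -> None:
        """Positive model: record the clusters the application is seen to issue."""
        for s in statements:
            self.whitelist.add(cluster(s))

    def decide(self, sql: str, ctx: Context) -> Tuple[str, Optional[str]]:
        """Return (action, statement to forward or None). The white-list lookup is a
        set membership test, so its cost does not grow with the statements learned."""
        key = cluster(sql)
        for rule in self.blacklist:
            if rule.pattern.search(key) and rule.condition(ctx):
                self.log.append((rule.action, ctx.db_user, key))
                return rule.action, (sql if rule.action.startswith("ALLOW") else None)
        if key in self.whitelist:
            return "ALLOW", sql
        if key in self.substitutions:
            self.log.append(("SUBSTITUTE", ctx.db_user, key))
            return "SUBSTITUTE", self.substitutions[key]
        self.log.append(("BLOCK", ctx.db_user, key))
        return "BLOCK", None


def build_demo_policy() -> FirewallPolicy:
    p = FirewallPolicy()
    # White list learned from the application's normal traffic (constructed sample;
    # the first statement is the one shown on the slide).
    p.learn([
        "SELECT * from stock where catalog-no='PHE8131'",
        "SELECT * from stock where catalog-no='ABC0001'",
        "UPDATE stock SET qty = 42 WHERE catalog-no = 'PHE8131'",
    ])
    # Black list on factors: V$ views are blocked when reached through an application
    # or outside business hours; a DBA using sqlplus in hours is allowed and logged.
    dba_views = re.compile(r"\bV\$\w+")
    p.blacklist.append(Rule(dba_views,
                            lambda c: c.application != "sqlplus" or not 8 <= c.hour < 18,
                            "BLOCK"))
    p.blacklist.append(Rule(dba_views, lambda c: True, "ALLOW+LOG"))
    # Substitution from the slide: an unknown read of ACCOUNTS returns no rows.
    p.substitutions[cluster("SELECT * FROM accounts")] = "SELECT * FROM dual where 1=0"
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    web = Context("APPUSER", "www", "orderapp", 10)
    dba = Context("SYS", "oracle", "sqlplus", 10)
    for who, stmt in [
        (web, "SELECT * from stock where catalog-no='PHE8131'"),
        (web, "SELECT * from stock where catalog-no='' union select cardNo,0,0 from Orders --'"),
        (web, "SELECT * FROM accounts"),
        (dba, "SELECT * FROM v$session"),
        (Context("SYS", "oracle", "orderapp", 10), "SELECT * FROM v$session"),
    ]:
        print(f"{who.application:9s} {policy.decide(stmt, who)}")
```

The injected statement from the slide clusters to a key with an extra UNION branch, so it never matches the learned key for the catalogue lookup and is blocked without any signature for the attack. The V$ rule shows why the black list is evaluated before the white list: the same statement gets a different verdict depending on the application and time-of-day factors, not on its text.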
Audit and Event Data Security
• Soft Appliance
– Hardened OS
– Preconfigured database
• Fine-grained Administrative Groups
– Sources can be grouped for access authorisation
– Individual auditor reports limited to data from the ‘grouped’ sources
• Separation of Duty
– Separate administrator and auditor roles to restrict access
– Super-auditor manages data access permissions per source per ‘auditor’ user
• Alerting enhancements
Performance and Scalability
• Audit Vault
– Supports monitoring and auditing multiple hundreds of heterogeneous database and non-database targets
– Supports a wide range of hardware to meet load requirements
• Database Firewall
– Decision time is independent of the number of rules in the policy
– Multi-device / multi-process / multi-core scalability
(diagram: Audit Vault with Standby)
Deployment Convenience
• Soft-appliance packaging for firewall and server components
• Simple installation and staged rollout
– All components are pre-configured; only basic network settings are required initially
– Start with auditing and extend to monitoring; or vice-versa
– HA mode
• Convenient agent deployment and upgrade
– Easy agent deployment and upgrade with a single downloadable jar file
– Includes all collection plug-ins & local network monitoring
– Comprehensive administrator tools to manage large deployments
Auditing Stored Procedure Calls
Secure Test System Deployment
• Deploy secure test system by masking sensitive data
• Extensible template library and policies for automation
• Sophisticated masking: Condition-based, compound, deterministic
• Integrated masking and cloning
• NEW in EM 11g: Heterogeneous Data Masking
• NEW in EM 11g: Pre- and Post-mask commands and command line (EMCLI) support
• NEW in EM 12c: Data Masking integration with Real Application Testing
• NEW in EM 12c: Key-based reversible masking

Production
LAST_NAME   SSN           SALARY
SMITH       111-23-1111   60,000
MILLER      222-34-1345   40,000

Test
LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   60,000
BENSON      323-22-2943   40,000
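Two of the masking styles named on this slide, deterministic and condition-based, are easy to misread as "replace with random values". The Python below is an added example, not Oracle Data Masking code, that makes the difference concrete on rows shaped like the slide's Production table: SSNs and surnames are replaced by a keyed pseudo-random function, so the same production value maps to the same test value in every table (a deterministic mask keeps the join between tables intact), and salaries are altered only when a condition holds. The key, the replacement surname list, the PAYROLL_HISTORY table and the salary rule are constructed assumptions.

```python
import hashlib
import hmac

# Constructed key: in a real masking run this would come from a key store,
# never from source code.
KEY = b"constructed-demo-masking-key"

# Constructed rows shaped like the Production table on the slide.
PRODUCTION = [
    {"LAST_NAME": "SMITH", "SSN": "111-23-1111", "SALARY": 60000},
    {"LAST_NAME": "MILLER", "SSN": "222-34-1345", "SALARY": 40000},
]
# A second constructed table keyed on the same SSNs, to show that the masked
# values still join across tables.
PAYROLL_HISTORY = [
    {"SSN": "111-23-1111", "YEAR": 2011, "PAID": 58000},
    {"SSN": "222-34-1345", "YEAR": 2011, "PAID": 39000},
]
SURNAMES = ["AGUILAR", "BENSON", "CHANDRA", "DUBOIS", "EKWUEME", "FISCHER"]


def _prf(key: bytes, value: str) -> int:
    """Keyed pseudo-random function: HMAC-SHA256 truncated to 64 bits. Without the
    key, a masked value cannot be related back to the production value."""
    return int.from_bytes(hmac.new(key, value.encode(), hashlib.sha256).digest()[:8], "big")


def mask_ssn(ssn: str, key: bytes) -> str:
    """Deterministic, format-preserving substitute for a NNN-NN-NNNN value."""
    digits = f"{_prf(key, 'ssn:' + ssn) % 10**9:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_name(name: str, key: bytes) -> str:
    """Deterministic substitution drawn from a fixed list of replacement surnames."""
    return SURNAMES[_prf(key, "name:" + name) % len(SURNAMES)]


def mask_row(row: dict, key: bytes, salary_cap: int = 50000) -> dict:
    out = dict(row)
    if "LAST_NAME" in out:
        out["LAST_NAME"] = mask_name(out["LAST_NAME"], key)
    if "SSN" in out:
        out["SSN"] = mask_ssn(out["SSN"], key)
    # Condition-based rule: only salaries above the cap are altered (flattened to
    # the cap); ordinary values keep their distribution for realistic testing.
    if "SALARY" in out and out["SALARY"] > salary_cap:
        out["SALARY"] = salary_cap
    return out


def mask_table(rows, key: bytes = KEY, salary_cap: int = 50000) -> list:
    """Mask every row of a table; columns not named in mask_row pass through."""
    return [mask_row(r, key, salary_cap) for r in rows]


if __name__ == "__main__":
    for r in mask_table(PRODUCTION):
        print(r)
    for r in mask_table(PAYROLL_HISTORY):
        print(r)
```

Because the substitute depends on the key, running the job with a different key produces a different but equally consistent test set; that is also why the key must be protected as carefully as the production data, since anyone holding it can recompute the mapping for candidate values.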
Heterogeneous Data Masking
(diagram: Enterprise Manager Cloud Control with Data Masking manages Production, Staging and Test Oracle databases; for non-Oracle databases§ it manages and monitors Production and Test through a Database Gateway, with the Staging copy held in Oracle)
§ Available for IBM DB2, Microsoft SQL Server, Sybase
Enterprise-Wide Configuration
Comply with IT Policies
Know Where You Stand and Where You’re Headed
• Rich Out of the box content:
– >1700 Compliance Rules
– > 30 Compliance Standards
– Security Recommendations
– Best Practices
– Self Updateable
• Always up to date Compliance Scores
• Historic trend to track progress
• Detailed Violation information:
– Reason for Violation
– Recommended Resolutions
– My Oracle Support Knowledge Articles
Database Security
Defence-In-Depth
Database Encryption (Oracle Advanced Security): Prevent access by non-database users for data at rest, in motion, and stored data
Database Authentication (Oracle Advanced Security): Increase database user identity assurance
Database Access + Audit (Oracle Audit Vault + Database Firewall): Monitor database traffic and prevent threats from reaching the database; audit database activity and create reports
Data Segregation (Oracle Database Vault, Oracle Label Security): Strict access control to application data even from privileged users
Data Anonymisation (Oracle Data Masking): Mask sensitive data in non-production environments
Database Secure Configuration (Oracle Configuration Manager): Ensure the database production environment is secure and prevent drift